7/27/2014

Electronic aura could be answer to lost passwords

Cambridge scientist plans to develop device that would store electronic details and keep them secure.

You are trying to book theatre tickets online with a rarely used credit card. Prompted to give a password, you find you can no longer remember it. The result is a failed transaction and a minor rise in blood pressure.

It gets worse. While shopping later on, you drop your car keys. An opportunist picks them up and wanders around the shopping mall's car park pressing the unlock button until your vehicle lights flash on. The result is a stolen car and a major rise in blood pressure.

Nor are you alone. Electronic security has become a headache for millions of people as they struggle to keep their systems and devices secure – though one leading expert believes he has found a solution. According to Frank Stajano, reader in security at Cambridge University's computer laboratory, each of us needs an electronic aura, a field that would extend no more than two or three feet from our bodies and which could be generated in a similar way to a Wi-Fi signal, only over a very short distance. Crucially, signals generated within the aura would uniquely identify its owner and permit only his or her electronic devices to work when they are close to that person.

Outside your electronic aura, your electric car keys would not be able to function, for example. You could drop them in a supermarket but they would be of no use to a thief, because the keys could only operate in the presence of your aura. Even more ambitiously, Stajano is designing a handheld device that can remember thousands of log-in names and passwords.

This device – which he calls a pico, after the Italian philosopher Giovanni Pico della Mirandola, who was famed for his prodigious memory – would interact automatically with websites for banks, theatres, cinemas, rail companies and others. You would simply hold the device over your screen to access one of your accounts.

The device would, again, be perfectly secure because it could only function inside an individual's electronic aura. If one were dropped or lost, it would pose no security threat and would simply be replaced by a backup.

"Passwords are a disaster today," says Stajano. "You have to remember dozens of them. And they have to be in different cases and include numbers and not be proper dictionary words – and you are not allowed to write them down and on top of that you have to change them every two months. We have to find a way to avoid having to remember them all the time."

The answer is the pico, which can store countless log-ins and passwords, and the aura that will allow the pico to operate securely, says Stajano, who has been given a £1m grant by the European Union to develop a system based on these concepts.

"The pico unlocks only when it finds itself inside an aura of safety around you," he said. "This aura is created by smaller devices that you would have on your person and which you are not likely to take off: your glasses, your watch, and your shoes. They could be in your clothes or jewellery. They could even be in the form of a subcutaneous implant. We call these devices 'pico siblings', and you would have a number of them on your person. Only if there are several present would it be possible for your aura to be generated and your car keys – or your house keys or your pico device – to feel comfortable and remain unlocked."

Other computer researchers are investigating different methods to improve computer security. One popular approach involves the use of biometric systems – retinal scans or fingerprints – to replace passwords.

However, these are open to abuse, Stajano argues. "Biometric systems work well at border controls or in other settings where a person has to be present for scrutiny. But when you are logging on remotely to a system – for example, when you are trying to get into your bank account via your laptop – security could easily be breached. You could use a photograph of a person's eye to fool a retinal scanner, for example, or use a copy of a fingerprint."

Such drawbacks would not affect the Cambridge pico system, though Stajano acknowledged that a lot of work still needed to be done on its development. "Websites will have to be designed in formats that recognise signals from a pico, for example. However, we are consulting with major service providers on this issue."

Similarly, his team is looking at the kind of aura-generating devices that people would be prepared to place around their bodies: badges, jewellery, belt buckles and wristbands. "The problem with computer passwords is only going to get worse," said Stajano. "With our pico project we are going for the long-term solution."